Barely recovered from the WannaCry ransomware attack, many across the globe now have to deal with the latest ransomware attack, NotPetya. It was originally thought to be the Petya ransomware, designed to make money, but security analysts quickly realised that the current cyber-attack was not designed to make money. It appears that NotPetya has actually just been designed to cause maximum damage, while disguising itself as ransomware.
You know you’ve been affected by NotPetya if you receive a message that your files have been encrypted, with a demand to pay US$300 in Bitcoin. Unlike with WannaCry, there is no ‘kill-switch’ with NotPetya. A ‘kill-switch’ enables tech-wizards to infiltrate the malware and stop it from encrypting data or causing damage.
The NotPetya ransomware has affected large organisations all over Europe and the US, with Ukraine having been hardest hit by it. See this timeline for some high-profile attacks and how NotPetya has unravelled.
In South Africa, there is currently no legal obligation on companies to notify anyone of a breach, whether a local authority or customers of the company. Barring any confidentiality or similar contractual obligation that companies may have to customers, companies do not have to publicise their breach. However, once the Protection of Personal Information Act 2013 (POPI) commences, there will be an obligation on organisations to report data breaches to the information regulator and customers; and once the Cybercrimes and Cybersecurity Bill is enacted, new offences will be created that will make cyber-attacks and breaches illegal in South Africa.
South African companies with affiliates or headquarters in other jurisdictions may currently have notification obligations in terms of those foreign laws, so bear this in mind if you have been affected by NotPetya and have operations overseas.
Companies may also notify people potentially affected by a data breach as a policy decision or good practice, although proper legal and public relations advice should be taken before doing so.
By Kerri Crawford (SA) and Rakhee Bhikha
First published by: Financial Institutions Legal Snapshot